From 011f319ee4371438b7640378fec1639277f0442b Mon Sep 17 00:00:00 2001 From: Christian Schneider Date: Thu, 3 May 2007 13:13:44 +0000 Subject: Close XSS and fix iframe fallback mode of loader --- itjs.class | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/itjs.class b/itjs.class index 45617e8..e49f98f 100644 --- a/itjs.class +++ b/itjs.class @@ -21,7 +21,7 @@ class itjs */ function send_headers() { - if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT'])) # text/plain breaks Opera 8.51/Linux + if (!preg_match('/Opera/', $_SERVER['HTTP_USER_AGENT']) && !$_REQUEST['itjs_call']) # text/plain breaks Opera 8.51/Linux and IFrame fallback header('Content-Type: text/plain; charset=iso-8859-1'); # Berni reported some Firewalls to require this header('Expires: ' . gmdate('D, d M Y H:i:s', time()+10) . ' GMT'); # prevent broken data on IE reloads @@ -35,7 +35,7 @@ function send_headers() */ function serialize($values) { - if ($callback = $_REQUEST['itjs_call']) + if ($callback = it::replace('[^\w.]' => "", $_REQUEST['itjs_call'])) { $header = ""; -- cgit v1.2.3